As I described in the first module of this course, cyber security is concerned with reducing the likelihood and effect of cyber attacks, however they originate, and whatever their motivation. Cyber attacks are directed at damaging information assets, the information and information processing resources that we wish to protect. This damage can take three main forms: unauthorized disclosure of data, unauthorized modification of data, and loss of availability of data or data processing resources. Measures that are put in place to enhance cyber security are known as security controls. In the context of an organization, cyber security management is concerned with managing all the security controls, including their selection, implementation, and their ongoing review and maintenance. There are many different types of security control, including both the technical and procedural. Examples of technical controls include: installing firewalls at gateways to computer networks, using encryption to protect data in transit or when stored, using intrusion detection systems that detect possible cyber attacks, and setting up individual user accounts and passwords. Procedural controls include establishing security policies, having defined vetting requirements for staff recruitment, requiring certain key tasks to be logged, and using audits to monitor the effectiveness of other controls. We often refer to the set of all the systems, procedures, and processes we set up to provide security as the information security management system, or ISMS. In larger organizations, there will typically be a team of members of staff concerned with managing cyber security for the organization, headed by a chief information security officer, or CISO. The security team and the CISO will obviously need to work closely with the team responsible for delivering information technology, but are often separately managed. 
As I mentioned in the first module, people are fundamentally important to security management and the ISMS. If the staff in an organization don't take security seriously, or regard it simply as a nuisance hindering their work, then cyber security will fail. That is, responsibility for cyber security lies with the entire organization and not just with the security team. There are many obstacles to achieving the goal of ensuring that all staff take security seriously, not least that security measures can often be seen to get in the way of people doing their jobs. For example, more effective user authentication, such as using two or more methods to check a user's identity, improves security but usually involves more staff time and effort. Pause the video for a moment and think about how you might try to ensure that staff have a positive view of security, even if some security controls cause some extra work. Hello again. It's difficult, if not impossible, to prevent security measures having some impact on user convenience. However, members of the security team must think very carefully when they impose new requirements on staff for the sake of security, and always try to ensure that security remains usable and justifiable, that is, worth the trouble. Apart from this, there is a general need in any organization to develop a positive security culture, that is, to ensure that the generally prevailing set of attitudes towards security is positive. Developing such a positive security culture is a long-term process. Key elements in the process include educating staff about security, making them aware of the risks the organization faces and the importance of security in addressing these risks, and ensuring that top management always follow the security rules. Raising understanding can be achieved through both formal training courses and less formal security awareness programs.
It's always important that staff understand why they're being asked to perform security-specific tasks. As will be discussed in subsequent videos, there's a need for a systematic approach to the selection of security controls. That is, security controls should be selected based on a detailed understanding of the risks facing an organization as can be obtained from a formal risk assessment, in which the risks affecting the information assets are identified, analyzed, and evaluated, resulting in a prioritized list. Scarce resources can then be devoted to addressing the most serious risks. Of course, even before we can assess the risks, it's necessary to gain a detailed understanding of what the assets are, that is, to identify the scope of the ISMS. We also need to identify an owner for every asset who can take responsibility for accepting any residual risk after implementation of controls. That is, the person who owns an asset needs to be aware of, and accept, the risks that remain after any security controls have been implemented. Following the implementation of the security controls, the job isn't finished. Indeed, cyber security management is a task that never ends. There needs to be an ongoing review of the effectiveness of security controls, for example, involving regular penetration tests. The results of these reviews need to be used where necessary to update the risk register and associated risk analysis, as well as update the security controls. Similarly, any changes to the security landscape, for example, in the form of new threats, additions to the inventory of information assets, and all security incidents including attacks, successful or unsuccessful, need to be used to update the risk assessment and control set. In summary, the ISMS needs to be regarded as a dynamic set of controls and processes, rather than something static that is only updated periodically. 
In order to both ensure that the ISMS is doing its job, and provide a means of explaining how resources are being spent to organization decision-makers, it's very helpful to find ways of measuring the performance and effectiveness of an ISMS. Security dashboards are an increasingly popular way of providing real-time information on the performance of security systems. The idea is to provide a real-time summary of key security information in a readily understood form to decision-makers. But how might we go about measuring security? Please pause the video for a few moments and see if you can think of useful security metrics, that is, ways we can measure the effectiveness of an ISMS. Probably the most commonly used type of security metric is based on counting certain classes of security event over a period of time. For example, a system could give real-time information on the numbers of authentication failures, that is, failed attempts to authenticate to a system, attempts to connect to systems via the Internet, and alerts from network and host intrusion detection systems, perhaps subdivided into categories of alert. This statistical information can then be presented in a variety of visual forms, for example, as a continuously updated graph. Ideally, any dashboard system will also provide historical information for comparison purposes. Of course, if things are working well, the metrics will ideally indicate positive progress in improving security, for example, in terms of fewer breaches. However, more importantly it will enable those monitoring the system to gain a good idea of the magnitude of threats facing the organization and adjust their defenses accordingly. There are many products on the market designed to provide this type of information in a range of visual forms. 
Of course, this field relates closely to what has become known as Security Information and Event Management, SIEM, a term used to describe automated systems that combine and analyze information about detected security incidents. For example, a combination of alarms from monitoring systems may indicate that a security breach has occurred, which can then be further investigated. Security investigations need to be conducted by an appropriately trained team, sometimes known as the Incident Response Team or IRT. Members of the IRT will not only need to have a wide range of knowledge and understanding of the systems they're helping to protect, but they'll also need to have the authority to take steps to address serious incidents. Once a security breach has been detected, the organization will also need to ensure that it reports it to the interested stakeholders. Depending on the nature of the breach, there may be a legal requirement to notify key stakeholders within a short time period. For example, in the case of a breach of sensitive personal information, this may involve notifying a National Data Protection Authority, as well as the individuals whose personal data has been compromised. Such notification requirements and methods need to be planned for in advance, as there's often very little time to ensure that all laws and regulations are complied with. Above all else, and as I just mentioned, it's vital to be aware that security management is never finished. It's an ongoing process incorporating monitoring and continuous improvement, details of which I'll explore further in the remainder of this module.
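As an added illustration (not code from the course), the following Python sketches the two ideas from this section and the previous one: hourly counts of event categories with a historical baseline comparison, the kind of series a security dashboard plots, and a SIEM-style rule that combines repeated authentication failures with an IDS alert on the same host into a candidate incident for the IRT. The log lines, host names and thresholds are constructed for the example.

```python
"""Added example: dashboard-style metrics and a SIEM-style correlation rule."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one per line: <timestamp> <category> <host>.
# These are not real log records.
SAMPLE_EVENTS = """
2024-03-01T09:01:10 auth_failure web01
2024-03-01T09:01:12 auth_failure web01
2024-03-01T09:01:15 auth_failure web01
2024-03-01T09:02:00 ids_alert:brute_force web01
2024-03-01T09:10:00 auth_failure db02
2024-03-01T10:05:00 inbound_connection web01
2024-03-01T10:30:00 ids_alert:port_scan db02
"""

def parse_events(text):
    """Turn the constructed log text into (timestamp, category, host) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, category, host = line.split()
        events.append((datetime.fromisoformat(ts), category, host))
    return events

def count_per_hour(events):
    """Metric: number of events per category in each hourly window."""
    counts = defaultdict(Counter)
    for ts, category, _host in events:
        bucket = ts.replace(minute=0, second=0, microsecond=0)
        counts[bucket][category] += 1
    return counts

def compare_to_baseline(current, baseline):
    """Historical comparison: current count divided by the baseline count
    for each category; None when the baseline has no data for a category."""
    categories = set(current) | set(baseline)
    return {c: (current.get(c, 0) / baseline[c]) if baseline.get(c) else None
            for c in categories}

def correlate_breach_candidates(events, threshold=3, window=timedelta(minutes=5)):
    """SIEM-style rule: at least `threshold` authentication failures on a host
    within `window` before an IDS alert on the same host is flagged as a
    candidate incident for the IRT to investigate."""
    candidates = []
    for ts, category, host in events:
        if not category.startswith("ids_alert"):
            continue
        failures = [t for t, c, h in events
                    if c == "auth_failure" and h == host and ts - window <= t <= ts]
        if len(failures) >= threshold:
            candidates.append((host, ts, category))
    return candidates
```

Feeding a real SIEM's normalized events into the same two functions gives the per-hour series for the dashboard and the short list of correlated alerts worth an analyst's time; the port scan on the second host is reported as a metric but not as a candidate, because it is not preceded by the failure burst.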